Success with Hybrid Cloud: Best Practices for Deploying a Hybrid Cloud

Over the last two “Best Practices” posts, I’ve looked at how to Plan and Build a Hybrid Cloud, and with these technical exercises complete, this post will focus on the best practices for deploying this carefully planned and built Hybrid Environment.

Also of note: There is an SPF Server entry for the Remote Console that is part of IaaS, and SPF itself supports up to five VMM stamps.

The best practices for the setup and operation of Service Provider Foundation can be complex without some insight, so I’ll begin with six key pitfalls to avoid during setup:

SPF IIS App Pool needs to run with a Domain Account that is also a VMM Administrator.

This Domain Account must be a member of the 4 local SPF Groups.

The user of this account needs to register SPF in Windows Azure Pack; otherwise Service Management Automation may encounter issues when attaching Runbooks to SPF Actions. A local user can be used if no Runbooks are attached to SPF Actions, however.

This account also needs access to the SQL Server that you specify during deployment.
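The four pitfalls above can be checked on the SPF server before registering it in Windows Azure Pack. The script below is an added example, not code from the original post or from the SPF product; it assumes the SPF application pool names and the four local group names that an SPF installation creates by default (adjust the two arrays if your server differs), and the SQL instance and database names are placeholders.

```powershell
# Added example: pre-flight check for the SPF app pool identity.
# Run elevated on the SPF server. All names marked "assumed"/"placeholder"
# are not from the original post and must be adapted to your environment.
Import-Module WebAdministration

$spfAppPools = @('SPF', 'VMM', 'Provider', 'Usage')                      # assumed SPF app pool names
$spfGroups   = @('SPF_Admin', 'SPF_Provider', 'SPF_Usage', 'SPF_VMM')    # assumed: the 4 local SPF groups
$sqlServer   = 'SQL01\SPF'                                               # placeholder: instance given during setup
$sqlDatabase = 'SCSPFDB'                                                 # placeholder

$findings = @()

# Pitfall 1: each SPF app pool must run as a specific domain account, not a built-in identity.
$identities = @()
foreach ($pool in Get-ChildItem IIS:\AppPools | Where-Object { $spfAppPools -contains $_.Name }) {
    $pm = $pool.processModel
    if ($pm.identityType -ne 'SpecificUser') {
        $findings += "App pool '$($pool.Name)' runs as built-in '$($pm.identityType)'; use a domain account."
        continue
    }
    if ($pm.userName -notmatch '^[^\\]+\\[^\\]+$' -or $pm.userName -like "$env:COMPUTERNAME\*") {
        $findings += "App pool '$($pool.Name)' identity '$($pm.userName)' is not a domain account."
        continue
    }
    $identities += $pm.userName
}
$identities = $identities | Sort-Object -Unique

# Pitfall 2: the domain account must be a member of all four local SPF groups.
# ADSI is used instead of Get-LocalGroupMember so this also works on Windows Server 2012 R2.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/user; normalise to DOMAIN\user
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    }
}
foreach ($account in $identities) {
    foreach ($g in $spfGroups) {
        try {
            $members = Get-LocalGroupMemberNames $g
            if ($members -notcontains $account) {
                $findings += "'$account' is not a member of local group '$g'."
            }
        } catch {
            $findings += "Local group '$g' was not found on this server (is SPF installed here?)."
        }
    }
}

# Pitfall 3 (SQL access): open a connection with Integrated Security. To be meaningful this
# script must run under the service account itself, e.g. via Start-Process -Credential.
$connString = "Data Source=$sqlServer;Initial Catalog=$sqlDatabase;Integrated Security=True;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME()'
    Write-Host "SQL login OK as $($cmd.ExecuteScalar()) on $sqlServer"
} catch {
    $findings += "Current user '$env:USERDOMAIN\$env:USERNAME' cannot open '$sqlDatabase' on '$sqlServer': $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

if ($findings.Count -eq 0) { Write-Host 'SPF prerequisite checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The registration pitfall (the WAP-side step that the Runbook wiring depends on) cannot be verified from the SPF server alone; run the registration as the same domain account that the app pools use, so that SMA later attaches Runbooks to SPF Actions under an identity SPF already trusts.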

Windows Azure Pack

Windows Azure Pack (WAP) for Windows Server is a collection of Windows Azure technologies that run on top of Windows Server 2012 R2 & System Center 2012 R2 and enable a consistent cloud experience across public, private and hybrid clouds.

I’ve posted many times before on the importance of consistency across your clouds, and, while I don’t want to beat on this too much again, it simply cannot be overemphasized that Microsoft is the only organization in the world operating an at-scale, global Public Cloud and then taking what we learn and delivering it for you to use in your datacenter. WAP is concrete evidence of this work.

For the purposes of Deployment, I’m going to focus on three specific resources delivered by WAP: IaaS, Websites, and Databases. If you aren’t familiar with WAP (or if you don’t have it already), I recommend reading this deployment overview for WAP and Windows Server, and this overview of WAP installation and configuration.

IaaS

Windows Azure Pack is a core component of the infrastructure-as-a-service capabilities we deliver through Windows Server and System Center. Our IaaS capabilities allow you to host Windows and Linux virtual machines in a cloud architecture in your datacenters. These capabilities also include a VM Gallery, scaling options, VM access options and virtual networks. To learn more about the specifics of Microsoft’s IaaS offering, I recommend this article.

Three important elements of the IaaS features include SDN, Remote Console, Gallery items, and VM templates.

Software-defined Networking

A major milestone in networking is the platform capability of an inbox NVGRE Gateway to bridge communication from a VM/Tenant Network to networks outside of the virtualized network. Check out these links for more information on the virtual network capabilities delivered through the platform and how they work within WAP.

When deploying the HA NVGRE Gateway Service Template available as a free download via the Web Platform installer, keep in mind these three things:

A host cluster is required for placing the HA Gateway Service (PA Address).

Don’t make the Gateway VMs highly available; if you do, the CA Address will no longer follow the PA Address.

Don’t configure your virtual switch manually with absolute QoS mode.
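Two of these three pitfalls can be detected after the fact on the Hyper-V hosts that run the gateway. The script below is an added example, not code from the original post or the gateway service template; it assumes the gateway VMs can be recognised by a name prefix (the placeholder `GW-`), and it uses the `BandwidthReservationMode` property of `Get-VMSwitch` and the `GroupType` property of `Get-ClusterGroup`, both of which exist in Windows Server 2012 R2.

```powershell
# Added example: detect two NVGRE gateway misconfigurations on a Hyper-V cluster node.
# Run elevated on one node of the host cluster that hosts the gateway VMs.
Import-Module Hyper-V
Import-Module FailoverClusters -ErrorAction SilentlyContinue

$gatewayVmPrefix = 'GW-'   # placeholder: however your HA gateway VMs are named

$findings = @()

# Pitfall: a virtual switch that was configured manually with absolute QoS mode.
# The service template expects the switch to use weight-based (relative) reservations.
foreach ($sw in Get-VMSwitch) {
    if ($sw.BandwidthReservationMode -eq 'Absolute') {
        $findings += "vSwitch '$($sw.Name)' uses absolute QoS mode; recreate it with -MinimumBandwidthMode Weight."
    }
}

# Pitfall: gateway VMs that were made highly available as clustered VM roles.
# The gateway service itself is placed on the host cluster; the VMs must not be cluster roles,
# otherwise the CA address stops following the PA address after a failover.
if (Get-Command Get-ClusterGroup -ErrorAction SilentlyContinue) {
    try {
        $clusteredGatewayVms = Get-ClusterGroup |
            Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.Name -like "$gatewayVmPrefix*" }
        foreach ($grp in $clusteredGatewayVms) {
            $findings += "Gateway VM '$($grp.Name)' is a clustered role on node '$($grp.OwnerNode)'; remove the VM from cluster management."
        }
    } catch {
        $findings += "Could not query the cluster: $($_.Exception.Message) (is this node a cluster member?)"
    }
} else {
    $findings += 'Failover Clustering cmdlets are not available; the HA gateway needs a host cluster.'
}

# Informational: list the gateway VMs found locally so the prefix assumption can be verified.
Get-VM | Where-Object { $_.Name -like "$gatewayVmPrefix*" } |
    Select-Object Name, State, @{n='Clustered';e={$_.IsClustered}} | Format-Table -AutoSize

if ($findings.Count -eq 0) { Write-Host 'No gateway placement or QoS findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```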

Remote Console

One of the improvements to Virtual Machines is the ability to get a direct connection to the console session. There are a lot of scenarios where this is hugely important, and one in particular is addressing a situation where a tenant misconfigures the network settings and can no longer connect via Remote Desktop. Instead of going through the process of opening a support ticket, the tenant can now fix the problem independently by using the new console connect option.

This diagram outlines the components required when accessing the VM Console from an untrusted network.

You can find detailed setup, installation, and configuration instructions in this guide.

Certificate requirements seem to cause some confusion in this configuration, so let’s examine this for a moment: The certificate used to sign the token between VMM, RD Gateway Plugin and the Hyper-V Host is different from the certificate used to sign the RDP file that gets downloaded in the tenant portal and opened by the client computer. The certificate to sign the RDP file must have the FQDN of the RD Gateway as CN.
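Because the two certificates are easy to mix up, it is worth validating them before tenants start opening console sessions. The script below is an added example, not code from the original post or from the Remote Console setup guide; the RD Gateway FQDN and both thumbprints are placeholders you take from your own VMM and RD Gateway configuration.

```powershell
# Added example: sanity-check the two Remote Console certificates on the RD Gateway server.
# Values marked placeholder are not from the original post.
$rdGatewayFqdn     = 'rdgw.contoso.example'                 # placeholder: RD Gateway FQDN tenants connect to
$rdpSigningThumb   = '<RDP-FILE-SIGNING-CERT-THUMBPRINT>'   # placeholder: cert that signs the downloaded .rdp file
$tokenSigningThumb = '<TOKEN-SIGNING-CERT-THUMBPRINT>'      # placeholder: cert shared by VMM, RD Gateway plugin, Hyper-V hosts

function Get-CertByThumbprint([string]$Thumbprint) {
    $t = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $t } | Select-Object -First 1
}

function Get-SubjectAltNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return @() }
    ($ext.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}

$findings = @()

$rdpCert   = Get-CertByThumbprint $rdpSigningThumb
$tokenCert = Get-CertByThumbprint $tokenSigningThumb

if (-not $rdpCert)   { $findings += 'RDP signing certificate not found in LocalMachine\My.' }
if (-not $tokenCert) { $findings += 'Token signing certificate not found in LocalMachine\My.' }

if ($rdpCert) {
    # Requirement from the post: the RDP-file signing cert must carry the RD Gateway FQDN as CN.
    $cn = $rdpCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $rdGatewayFqdn) {
        $findings += "RDP signing cert CN is '$cn', expected '$rdGatewayFqdn'."
    }
    if (-not $rdpCert.HasPrivateKey) { $findings += 'RDP signing cert has no private key; signing will fail.' }
    if ($rdpCert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "RDP signing cert expires $($rdpCert.NotAfter)." }
    $sans = Get-SubjectAltNames $rdpCert
    if ($sans -and ($sans -notcontains $rdGatewayFqdn)) {
        $findings += "RDP signing cert has a SAN extension but it does not list '$rdGatewayFqdn' (clients that prefer SAN over CN will reject it)."
    }
}

if ($tokenCert) {
    if (-not $tokenCert.HasPrivateKey) { $findings += 'Token signing cert has no private key.' }
    if ($tokenCert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Token signing cert expires $($tokenCert.NotAfter)." }
}

# The post stresses that these are two different certificates.
if ($rdpCert -and $tokenCert -and $rdpCert.Thumbprint -eq $tokenCert.Thumbprint) {
    $findings += 'The same certificate is configured for token signing and RDP-file signing; use separate certificates.'
}

if ($findings.Count -eq 0) { Write-Host 'Remote Console certificate checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The token-signing certificate's public part must also be present on every Hyper-V host that will serve console sessions; the check above only covers the RD Gateway side, so repeat the thumbprint lookup on the hosts.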

Gallery Items

Windows Azure Pack includes a VM Gallery that contains VM Roles. A VM Role technically consists of two parts:

Part of this configuration of VM Roles requires you to assign specific tags to virtual hard disk images. This configuration also requires the Operating System, Family Name, and Version of the virtual hard disk to be specified. To make this process straightforward, each VM Role example comes with a deployment guide that outlines these requirements. There is also a wide range of example gallery items currently available through the Web Platform Installer, but you can also build your own Gallery Items using the VM Role Authoring Tool.

To get much deeper on this topic, check out these additional posts from the engineers who’ve built these features:

Websites for Windows Azure

The website component of Windows Azure Pack provides high-density, multi-tenant web hosting services. This is a scalable, shared, and secured web hosting platform for template-based web applications and programming languages like ASP.NET, PHP, and Node.js. This is a capability we innovated in Azure, proved in Azure, and we have now delivered it for you to run in your datacenters. With this functionality you can run 5,000 web sites on a single Windows Server OS instance. To deploy this component, visit this page.

Use of Proxy Servers

Have you ever tried to create a new website based on a Gallery item but found the list empty? The cause of this is very likely that you are blocked by your proxy server. The typical troubleshooting process for this includes checking the proxy server log files and then verifying if you can reach the gallery URL in a web browser on the machine that has the Web Application Gallery component installed.

Offline Gallery

If you are working in a secure environment where you want to control which web application gallery items are available to your tenants, you may consider using an offline copy for the Gallery. This arrangement also allows you to do code reviews and approve the gallery items. For an in-depth overview of the necessary steps to do this, check out this detailed post.

File Server

Windows Azure Pack Web Sites requires a File Server. This can be a standalone File Server, File Server Cluster, or a third party NAS device. For more insights about all the requirements, check out this article.

Databases

Windows Azure Pack has the capability to support Microsoft SQL Server or MySQL Database hosting for tenants, or Database as a Service (DBaaS). These databases are often used in conjunction with Web Sites Services, and are also offered as part of the Windows Azure Pack. To learn more about installing and configuring the SQL Server and MySQL resource providers, check out this overview. Also note that for this database functionality you must first license and deploy instances of MySQL or SQL Server outside of WAP (in this way, WAP is used as a means to provision database services).

To provide high availability for your tenant databases you can use SQL AlwaysOn Availability Groups. SQL AlwaysOn enables you to use Azure as an extension of your datacenter for backup and disaster recovery of your databases, a very cool and easy-to-use hybrid cloud scenario. This feature is part of SQL Server Enterprise Edition. With SQL Server 2012 these backup/DR scenarios are available with manual scripting provided by the SQL engineering team on MSDN; with SQL Server 2014 these scenarios will be much easier with a UI that is built into SQL Server Management Studio.

The latest version of MySQL can be obtained and installed via the Web Platform Installer. The configuration step that is specific to MySQL is to enable remote login. If you miss that important step you will not be able to register MySQL Servers in the Admin Portal.

Service Management Automation

Service Management Automation (SMA) is a new component that comes as part of System Center (available on the Orchestrator image). SMA enables you to perform automation in the cloud, and, like SPF, SMA exposes an extensible OData web service. SMA leverages Runbooks to enable automation in the Windows Azure Pack. SMA Runbooks are Windows PowerShell Workflow scripts, which can be imported and/or authored right within the Windows Azure Pack. Runbook execution can be scheduled, triggered by a WAP/SPF event, or manually initiated. With this in mind, one of the primary uses of Automation within WAP is to execute Runbooks based on other WAP actions, e.g. starting a Virtual Machine.

A couple of noteworthy best practices for setting up and operating Service Management Automation are:

Like SPF, SMA IIS App Pool needs to run with a Domain Account.

In order to execute Runbooks that use SPF, certificates need to be issued for the SMA server and SPF server which trust each other.

Runbooks need to be “tagged” in order to be used for automation (e.g. to show up under VM Automation, a Runbook needs to be tagged with SPF).
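The tagging requirement is easy to forget when Runbooks are imported from a script rather than authored in the portal. The following is an added example, not code from the original post or from the SMA product: it writes a minimal PowerShell Workflow runbook that records which VM action triggered it, then imports and publishes it with the `SPF` tag through the SMA cmdlets. The SMA endpoint and port, the runbook name, and the `$params`/`$resourceObject` parameter names are assumptions; confirm the parameter set of `Import-SmaRunbook` with `Get-Help` on your SMA version.

```powershell
# Added example: author, import, tag and publish an SMA runbook for use as an SPF action.
# Run on a machine with the Microsoft.SystemCenter.ServiceManagementAutomation module
# (installed with the SMA PowerShell feature). Placeholders are marked.
Import-Module Microsoft.SystemCenter.ServiceManagementAutomation

$smaEndpoint = 'https://sma01.contoso.example'   # placeholder: SMA web service endpoint
$smaPort     = 9090                              # assumed default SMA web service port
$runbookName = 'Log-VmAction'                    # assumed runbook/workflow name
$runbookPath = Join-Path $env:TEMP "$runbookName.ps1"

# The workflow name must match the file name for Import-SmaRunbook to accept it.
# The two parameters are the ones an SPF-triggered runbook is assumed to receive:
# $params holds the action details, $resourceObject the VM that was acted on.
$runbookBody = @'
workflow Log-VmAction
{
    param(
        [object]$params,
        [object]$resourceObject
    )

    # Record the triggering action and the VM in the SMA job output, so operators can
    # audit which tenant action (for example a VM start) caused this runbook to run.
    $vmName = if ($resourceObject) { $resourceObject.Name } else { '<unknown VM>' }
    $action = if ($params) { ($params | ConvertTo-Json -Compress) } else { '<no params>' }
    Write-Output ("{0:o} VM '{1}' action: {2}" -f (Get-Date), $vmName, $action)
}
'@
Set-Content -Path $runbookPath -Value $runbookBody -Encoding UTF8

# Import with the SPF tag so the runbook is listed under VM Automation in the WAP admin portal.
$common = @{ WebServiceEndpoint = $smaEndpoint; Port = $smaPort }
Import-SmaRunbook @common -Path $runbookPath -Tags 'SPF'

# A runbook only becomes selectable once it is published.
Publish-SmaRunbook @common -Name $runbookName

# Verify the tag made it through; an untagged runbook is the usual cause of "it does not show up".
$rb = Get-SmaRunbook @common -Name $runbookName
if ($rb.Tags -notmatch '\bSPF\b') {
    Write-Warning "Runbook '$runbookName' is not tagged SPF; fix with Set-SmaRunbookConfiguration -Tags 'SPF'."
} else {
    Write-Host "Runbook '$runbookName' imported, published and tagged: $($rb.Tags)"
}
```

The SMA web service authenticates with Windows authentication by default, so run this under a domain account that is an SMA administrator; together with the certificate trust between the SMA and SPF servers noted above, that is what lets the WAP admin portal attach the published runbook to an SPF action.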

For further reading on this particularly complex topic, I recommend the following links:

WAP Authentication Providers

Windows Azure Pack supports multi-tenant authentication by using claims-based authentication. This offers a flexible way to authenticate users logging into Windows Azure Pack by providing support for a wide range of authentication technologies like ADFS, SAML, WS and others. Once authenticated a user will be given access to (and can then consume) services within WAP based on assigned subscriptions. By default the WAP Tenant uses .Net authentication, but can easily be changed to use other authentication providers. The WAP Admin Portal uses Windows Authentication by default, but this can also be changed to use ADFS.

Authentication in WAP allows you to do the following two things:

Provide administrative access to users from its own Active Directory.

Provide self-service access to the Tenant Portal to users from a tenant.
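Switching the Tenant Portal from the default .NET membership provider to ADFS is done with the WAP configuration cmdlets on the WAP side and a relying-party trust on the ADFS side. The script below is an added example, not code from the original post or the WAP documentation: the host names, ports and connection string are placeholders, and the cmdlet parameter sets are assumptions to be confirmed with `Get-Help Set-MgmtSvcRelyingPartySettings` and `Get-Help Add-AdfsRelyingPartyTrust` on your versions.

```powershell
# Added example: federate the WAP Tenant Portal with ADFS (claims-based authentication).
# Part 1 runs on the WAP tenant authentication/portal machine, part 2 on the ADFS server.
# Everything marked placeholder/assumed is not from the original post.

# ---------- Part 1: WAP side ----------
Import-Module MgmtSvcConfig    # assumed: module that ships with Windows Azure Pack

$adfsFqdn     = 'adfs.contoso.example'                    # placeholder
$adfsMetadata = "https://$adfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
# Placeholder: connection string to the WAP configuration store (Microsoft.MgmtSvc.Config database).
$configStore  = 'Data Source=SQL01;Initial Catalog=Microsoft.MgmtSvc.Config;Integrated Security=True'

# Point the Tenant Portal relying party at ADFS. Omit -DisableCertificateValidation once the
# ADFS metadata endpoint presents a certificate the WAP machine trusts.
Set-MgmtSvcRelyingPartySettings -Target Tenant `
    -MetadataEndpoint $adfsMetadata `
    -ConnectionString $configStore `
    -DisableCertificateValidation

# The Admin Portal uses Windows Authentication by default; the same cmdlet with -Target Admin
# moves it to ADFS as well, which the post notes is possible but optional.

# ---------- Part 2: ADFS side ----------
Import-Module ADFS

$tenantPortalFqdn = 'tenant.contoso.example'              # placeholder
$tenantPortalPort = 30081                                  # assumed default Tenant Portal port
$wapMetadata = "https://${tenantPortalFqdn}:$tenantPortalPort/FederationMetadata/2007-06/FederationMetadata.xml"

# WAP expects a UPN claim (the user identity) and group claims (used for tenant user roles).
# Rule shape assumed from the standard LdapClaims template.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and groups for WAP tenant portal"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,tokenGroups(domainQualifiedName);{0}", param = c.Value);
'@

# Least-privilege note: replace the permit-all authorization rule with a group-scoped rule
# once the tenant AD group that should reach the portal is known.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Windows Azure Pack Tenant Portal' `
    -MetadataUrl $wapMetadata `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true
```

After both parts run, a tenant signs in at the Tenant Portal, is redirected to ADFS, and returns with a SAML token whose UPN claim WAP maps to a subscription owner or co-administrator; the group claim is what lets you grant access to a whole tenant AD group rather than enumerating users.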

Some noteworthy best practices for the setup and operation of authentication are:

Migration

Integration of WAP with an existing System Center deployment. This scenario targets IaaS workloads only.

If you made a bet on Windows Azure Services for Windows Server when it was released earlier this year, definitely take the time to get the newer (and free!) Windows Azure Pack to start taking advantage of the new features. The detailed step by step guide can be found in the link below.

The second scenario mentioned above is all about ensuring existing Virtual Machines show up in WAP Tenant Portal as expected, owned by the appropriate tenant user role.
